shibboleth-dev - Re: Strawman AuthnRequest profile #2 (ignore previous)
- From: Tom Scavo
- To: Scott Cantor
- Cc: Shibboleth Developers
- Subject: Re: Strawman AuthnRequest profile #2 (ignore previous)
- Date: Wed, 5 Jan 2005 12:58:03 -0500
On Wed, 5 Jan 2005 12:44:25 -0500, Scott Cantor wrote:
> > The spec says that AssertionConsumerServiceIndex and
> > AssertionConsumerServiceURL are mutually exclusive, yes, but it says
> > no such thing about ProtocolBinding AFAIK. This may be the intent (it
> > makes sense actually) but the spec does [not] say this.
>
> Read the latest draft (3a). ;-)
That's not fair! :-)
> > In any event, what I hear you saying is that
> > AssertionConsumerServiceIndex is more likely to be used than
> > AssertionConsumerServiceURL, correct?
>
> Yep.
Then that's what I'll use in my example, thanks.
> > Actually, there's more in the profile doc than anywhere else. It's
> > where I obtained my (naive) understanding of the attribute.
>
> You're right, I lost that argument and forgot I lost it. I don't like
> duplicating text, and AFAICT profiles is just repeating core.
It wasn't duplicated text for me. Maybe it belongs in core, I don't
know, but I'd sure hate to lose it altogether.
> > What about transient identifiers? Will a transient identifier be
> > created if AllowCreate is omitted?
>
> Ultimately, it's up to the IdP in some sense, but a strict reading would say
> no, since by definition every such identifier is "new".
Then I would argue that AllowCreate will be used more often than not.
It may not be necessary in the example I posted earlier, but it's
surely not a "rare" attribute.
> That's one reason I wanted the default to be true.
I agree.
Thanks for the clarification,
Tom
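
The attribute rules discussed in this message, as an added example that is not part of the original post or of Shibboleth's code: a Python check that flags an AuthnRequest combining AssertionConsumerServiceIndex with AssertionConsumerServiceURL or ProtocolBinding, and one that requests a transient identifier without AllowCreate (the strict reading quoted above). Treating ProtocolBinding as exclusive with the index follows the published SAML 2.0 core and is an assumption relative to the draft under discussion; the function names, sample requests, IDs and the sp.example.org host are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
XS_TRUE = ("true", "1")  # lexical forms of xs:boolean true


def check_authn_request(xml_text):
    """Return a list of findings for a single <samlp:AuthnRequest>."""
    # The samples below are trusted, constructed input; parse requests from
    # the network with a hardened parser (for example defusedxml) instead.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return ["root element is not samlp:AuthnRequest"]
    findings = []
    # The index selects an endpoint from SP metadata, so an explicit URL or
    # binding next to it is contradictory.
    if "AssertionConsumerServiceIndex" in root.attrib:
        for other in ("AssertionConsumerServiceURL", "ProtocolBinding"):
            if other in root.attrib:
                findings.append("AssertionConsumerServiceIndex with " + other)
    # Strict reading from the thread: every transient identifier is "new",
    # so an IdP may decline to issue one unless AllowCreate is true.
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    if policy is not None and policy.get("Format") == TRANSIENT:
        if policy.get("AllowCreate") not in XS_TRUE:
            findings.append("transient NameID requested without AllowCreate")
    return findings


def sample(attrs, policy_attrs):
    """Build a constructed AuthnRequest (IDs and hosts are placeholders)."""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed1" '
            'Version="2.0" IssueInstant="2005-01-05T18:00:00Z" %s>'
            '<samlp:NameIDPolicy Format="%s" %s/></samlp:AuthnRequest>'
            % (SAMLP, attrs, TRANSIENT, policy_attrs))


GOOD = sample('AssertionConsumerServiceIndex="1"', 'AllowCreate="true"')
BOTH = sample('AssertionConsumerServiceIndex="1" '
              'AssertionConsumerServiceURL="https://sp.example.org/acs"',
              'AllowCreate="true"')
STRICT = sample('AssertionConsumerServiceIndex="1"', '')

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BOTH", BOTH), ("STRICT", STRICT)):
        print(name, check_authn_request(doc))
```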